The U.S. Securities and Exchange Commission (SEC) has recently proposed new rules that underscore the importance of not just defending against, but also recovering from, cyber incidents in the financial sector. As we face an increasing number of sophisticated cyber threats, the ability to bounce back and maintain business continuity is paramount.
Key takeaways from the SEC proposals include:
- Robust cybersecurity policies: All market entities will be required to establish, maintain, and enforce written policies and procedures to address their cybersecurity risks. These policies must be reviewed and assessed at least annually.
- Incident reporting: Entities will be required to give the SEC immediate written electronic notice of a significant cybersecurity incident.
- Recovery measures for covered entities: Covered entities (most market entities, apart from certain small broker-dealers) will be subject to additional requirements. These include measures to detect, respond to, and recover from a cybersecurity incident, and procedures for creating written documentation of any cybersecurity incident, the response to it, and the recovery procedure followed.
- Public disclosure of cybersecurity incidents: Covered entities will be required to publicly disclose summary descriptions of the cybersecurity risks and significant incidents they experienced during the current or previous calendar year, including their efforts to respond to and recover from the incident.
These proposed rules highlight the importance of having well-defined and regularly exercised cyber recovery runbooks for your mission-critical applications and services. As leaders in the financial sector, you are, I know, focusing not only on preventing cyber incidents but also on your ability to recover and maintain business services when they do occur.